Question about offline key management

Open dapphp opened this issue 5 years ago • 7 comments

Hi Frank,

Thank you for this software first of all! Your hard work on dnscrypt, dnscrypt-proxy, and encrypted-dns-server is much appreciated.

I am considering switching to encrypted-dns-server from other solutions but would like to have the ability to generate the short term keys from a remote system and push them to the resolver and then tell the resolver to reload the keys.

Key generation now looks to be coupled with the server itself and then written to the state file. I don't see any options to use the server to generate and manage keys independently of running a server.

Are there any plans to implement this feature? Currently we use dnsdist with addDNSCryptBind to run a dnscrypt resolver and then custom scripts on a key server to generate certs, push them, and then use some commands to have dnsdist load the new keys.

Thanks for any information you can provide on this subject!

dapphp avatar Jan 04 '20 19:01 dapphp

Hi!

Indeed, key generation is directly handled by the server. The intent was to make it as simple as possible to use, as certificate management can be quite complicated to properly set up.

Adding an option to avoid keys from being generated/rotated would be trivial.

But what mechanism are you thinking of in order to import keys?

State files are not machine-specific. A machine can run the server without accepting any connections, just to update the state file. For such a use case, an option to simply update that file and immediately quit can also be added, so you can run that as a cron job.

Then, the state file can be periodically copied to the actual resolver. Right now, the proxy needs to be restarted to read the new file, but that can be avoided, either by sending a signal or by watching the file for changes (if writes are guaranteed to always be atomic).

Another way can be to leverage the fact that we already have a minimal built-in HTTP server, currently used for the Prometheus metrics API. And add an API to store a new key, only accessible from a predefined IP address.

What do you think? Any other idea?

jedisct1 avatar Jan 05 '20 00:01 jedisct1

Key management is indeed a bit tricky! I believe much of my code is from your old Docker bash script to do key rotation with dnscrypt-wrapper but I can't find the initial reference anymore (so if it was, thank you again!).

My main concern and desire for having this is because I keep wanting to spin up a VPS to run this for the community, but I don't trust that anything (especially the server keys) is safe on a VPS. I wouldn't really call it a secure or trusted server if at any time the VPS provider could snapshot the system and extract keys from disk or memory.

I hadn't thought too much about different ways to update the server with the keys but wasn't expecting anything too "fancy".

A first pass might simply be getting the server to reload certs through a signal, which may mean updating the state file externally, and then supplying it to the server.

Question: I tried to read the code a bit to understand it but couldn't quite get it. Are there still short term keys in use that are generated from long term keys? Generating the state file offline and transferring it to the server is fine, but it defeats the purpose if the state file also has long term signing keys that we don't want to transfer to the server.

To better understand, does encrypted-dns-server still rotate keys periodically (if so how often)? Also, does it ever keep more than one cert in memory to allow for rotation issues and clients to switch to new keys?

My current setup generates a key every 12 hours that's good for 24 hours, and keeps at least 2 of those keys/certs active in the dnsdist server at any given time. I'm not sure that encrypted-dns-server works the old way anymore, especially since this does more than just DNSCrypt.

dapphp avatar Jan 07 '20 00:01 dapphp

To better understand, does encrypted-dns-server still rotate keys periodically (if so how often)? Also, does it ever keep more than one cert in memory to allow for rotation issues and clients to switch to new keys?

@jedisct1 that's a good question, so does encrypted-dns generate 2 keys (example 24h, 1 week)? How can we configure it in the .toml file?

greets

ibksturm avatar May 02 '20 13:05 ibksturm

@ibksturm A new key is generated every 8 hours, and is valid for 24 hours.

After a new key has been generated, the previous ones are not served any more, but queries using them are still accepted until they expire.

The TTL and rotation times are hardcoded here.

jedisct1 avatar May 02 '20 14:05 jedisct1

Hi @jedisct1,

First of all, thank you for your time and effort on this wonderful software.

Would like to understand if there is any way I could check that the keys are rotated. Reason being I am not sure if I have configured the file permissions correctly for the .state file and if the keys are indeed rotated.

NeutralGround avatar Sep 06 '22 17:09 NeutralGround

Hi @NeutralGround

The easiest way would be to look at the timestamp of the .state file. It should change every 8 hours.

jedisct1 avatar Sep 06 '22 20:09 jedisct1

Thanks @jedisct1, fixed the issue with file permission and nobody user privilege, now it is working fine :)

NeutralGround avatar Sep 08 '22 20:09 NeutralGround